Google has issued an urgent security update for its Chrome browser to address a critical zero-day vulnerability, identified as CVE-2025-4664, which is currently being actively exploited. This flaw arises from insufficient policy enforcement within Chrome’s Loader component, potentially allowing attackers to bypass security protocols and execute unauthorized code or access cross-origin data through specially crafted HTML pages.
The vulnerability was first disclosed by security researcher @slonser_ on May 5, 2025, indicating that malicious actors may have been exploiting this flaw for several days prior to the release of the patch. In response, Google has updated Chrome’s Stable channel to version 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux, effectively mitigating this security risk.
In addition to CVE-2025-4664, the update also addresses another high-severity vulnerability, CVE-2025-4609, which involves incorrect handle management in Mojo, Chrome’s inter-process communication system. Exploiting this flaw could lead to privilege escalation and memory corruption, posing significant risks to users.
Google has acknowledged the contributions of external researchers, including @slonser_ and Micky, who reported these vulnerabilities. The company continues to enhance Chrome’s security through internal tools like AddressSanitizer, which has identified over 300 bugs in the Chromium project.
Given the critical nature of these vulnerabilities, users are strongly advised to update their Chrome browsers immediately. To verify your current version and initiate an update, navigate to chrome://settings/help in your browser. The latest versions are Chrome 136.0.7103.113/.114 for Windows and Mac, and Chrome 136.0.7103.113 for Linux. Android users will receive Chrome 136.0.7103.125 through Google Play, which includes the same security fixes as the desktop versions.
This incident underscores the ongoing security challenges faced by web browsers that process untrusted content from the internet. With Chrome holding approximately 65% of the global browser market share, it remains a prime target for malicious actors. Google’s proactive approach, including rapid patch deployment and transparent vulnerability disclosure, is crucial in safeguarding billions of users worldwide.
